Air Force seeking hackers as military prepares for its largest bug bounty program yet

Key Points
  • Payouts in the Air Force's upcoming bounty program could go into the "tens of thousands" of dollars.
  • The military says bug bounty programs can provide more bang for the buck than using government contractors.
  • Sponsored hacking events are seen as a recruitment opportunity for identifying new talent for government cybersecurity jobs.
David Woolfall | Getty Images

Hackers may be a menace and in some cases responsible for unleashing global chaos, but the U.S. Air Force is embracing some of them with open arms.

Online registration began this week for the service's first civilian bug bounty program, designed to find website and network security vulnerabilities. The Air Force said the event is still going ahead despite a weekend of hacking that caused cyber chaos in at least 150 countries.

"The kind of paradigm shift these days is, it's good to have outside people kind of look in at you," Peter E. Kim, Air Force chief information security officer, told CNBC. "It's a learning experience for us in how we can better secure and defend our systems."

Kim is responsible for the Air Force's cybersecurity program and information systems strategies for a service that has about 660,000 personnel and millions of computers.

According to Kim, the cyber-threats today are not just from individuals but from nation-states bent on causing havoc to networks and systems, stealing identities and information, or finding out operational plans.

The U.S. military has come under criticism over the years because of reports it was still using 1970s-era floppy disks on important weapons command or control systems. Also, many computers used by the Pentagon still run on outdated Windows XP operating systems, and those without public Internet access might have the even older Windows 95 or 98.

"I'm not going to pretend that things like that [floppy disks] don't exist," said Kim. "For the most part, they don't. The Air Force has done a great job in the last two years to modernize that stuff and get off floppies."

Kim said the military isn't the only one with outdated computer tech. "Companies all over the world, including bigger companies, are still on obsolete, outdated software. Sometimes it's not easy, because I know some of these are pretty sensitive systems."

The "Hack the Air Force" program is coordinated through HackerOne, a San Francisco-based cybersecurity bug platform that last year handled similar initiatives by the U.S. Army and Pentagon. HackerOne's website describes the Air Force's program as "the largest Department of Defense bug bounty challenge yet."

The bounty amounts will vary depending on the severity of the find, although Kim said a really significant vulnerability could potentially result in a payout in the "tens of thousands" of dollars.

Registration for the Air Force's program started Monday and runs through May 29, and the invited hacking is scheduled to begin May 30 and runs through June 23.

The event is open to U.S. citizens as well as hackers from other so-called "Five Eyes" intelligence alliance countries: Australia, Canada, New Zealand and the U.K.

Kim describes the hackers as "typical young millennial digital expert[s]."

After the hacking ends, the focus will turn to "fixing all the vulnerabilities and maybe instituting potential mitigations and fixes to our public-facing assets," said Kim.

The Air Force has thousands of websites and webpages that can be viewed by the general public. Cybersecurity teams in the U.S. government regularly conduct security scans on the perimeter sites but even that may not be enough to prevent a determined hacker who wants to infiltrate and cause harm to one of the service's websites.

"It would be good for us to really know what our vulnerabilities are," he said.

Kim said the bug bounty program is specifically focused on the service's public-facing websites "because that's probably the easiest and lowest-hanging fruit for anyone who wishes to do us harm — to come at us through the web servers."

The military's approach to finding cyber-risk borrows from the playbook of private industry.

"Facebook has been doing this for years — attacking their own environment, seeing what's vulnerable and fixing the vulnerabilities," Kim said. He added that Alphabet's Google, Amazon, Netflix and other tech firms also have similar programs.

Indeed, tech firms have handed out millions of dollars in bounties over the years as a way to stay ahead of bad actors and close vulnerabilities.

The military's bug bounty programs may not run into the millions of dollars like some tech firms' do, but they still are seen as a success compared with the alternatives.

"Before this, we just used our own internal assets, like any company does," said Kim. "We have Air Force people that look at the perimeter and look for vulnerabilities and fix them."

He said the military has sometimes outsourced finding vulnerabilities to government contractors. "That, quite frankly, has some mixed results," he said.

Kim recalls hearing a story that the Defense Digital Service — a U.S. government agency — tells about a particular government services firm that was paid about $1 million to find cyber-risks but "only came up with 10 low-level vulnerabilities over the course of 12 months." However, once the agency invited hackers to do the bug bounty program for the Pentagon, "within minutes they got some serious high vulnerabilities."

In fact, within the first six hours of the "Hack the Pentagon" program's launch in April 2016, there were about 200 reports initiated and about $75,000 in total bounties paid off.

Similarly, the "Hack the Army" program, which ran Nov. 30 to Dec. 21, had just over 370 registered participants, and the first vulnerability was reported within just 5 minutes of the program launch. Total bounties paid in the Army program approached around $100,000.

"So the payoff is huge," said Kim. "There's never a better opportunity than having real live hackers going at you to see what's vulnerable and giving you … that information so you can actually fix [it] yourselves."

At the same time, the military sees an opportunity for the U.S. government to harness the talent of some participants of the bug bounty program.

"These folks are potential future recruits for defending our nation or defending our Department of Defense, defending the U.S. government from cyberattack," said Kim. "I always say the best defender is usually someone who knows the offense and the attack side and so knows their tactics and techniques and procedures."

Kim said he's had the chance to meet a few hackers participating in the defense-related bug bounty programs and describes them as people who enjoy the thrill of hacking but also "have a sense of duty and patriotism, surprisingly enough, to help us shore up our network defenses."

Watch: Hacker says Trump needs cybersecurity comm. of experts

Notorious hacker says Trump needs cybersecurity committee of experts